@owenblacker
Last active February 13, 2024 15:28
GPG commit signing simple setup

GPG commit signing: a simple setup guide

Warning

This is an incomplete work-in-progress document

  1. Install GPG command line tool for Mac OS X using brew install gnupg or an equivalent. You can install all of GPG Suite, but you don't necessarily need more than the Homebrew package.
  2. Following the tutorial from GitHub, generate a 4096-bit RSA key (this is probably the default option); use your GDS email address.
  3. For GDS users: if you used a non-GDS email address, change the email on your key to your GDS email address.
  4. Export the key in the terminal, using gpg --export -a <key_id>
  5. Copy the key (the whole thing, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----)
  6. Add it to your GitHub account: Profile -> Settings -> SSH and GPG keys -> New GPG key
  7. Set git to sign commits automatically; you'll be prompted to sign your commits instead of having to use -S every time:
    git config --global commit.gpgsign true
  8. On a new throwaway branch, make an insignificant edit — adding a full-stop to a README.md file or something. It should prompt you for your passphrase.
  9. Check that your commit was signed, using git log --show-signature; your commit should look something like
    commit fe971081c36839f27b071ce8a86557aaac61cff1
    gpg: Signature made Fri 26 Jan 10:52:45 2024 GMT
    gpg:                using RSA key B5AXXXXXC44341A146ABCA1AE7E7BAA3A4C0345D
    gpg: Good signature from "Owen Blacker <owen.blacker@XXXXXXX.xx>" [ultimate]
    gpg:                 aka "Owen Blacker <owen.blacker@XXXXXXX.xx>" [ultimate]
    Author: Owen Blacker <owen.blacker@XXXXXXX.xx>
    Date:   Thu Jan 25 15:53:33 2024 +0000
    
     Update triggers to pushes instead of releases
    
  10. Push the change up to GitHub and you'll see the commit shows up as Verified.
  11. Now you can delete the throwaway branch you committed to.
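
The checks behind steps 2, 3 and 9 can also be scripted. The following is an added example, not part of the original gist: the function names check_key and unsigned_commits are hypothetical, and the key listing and log lines are constructed samples in the formats produced by gpg --list-secret-keys --with-colons and git log --format='%G? %h'.

```shell
#!/usr/bin/env bash
# Added example: post-setup checks. All sample data below is constructed.

# check_key EMAIL  (stdin: output of `gpg --list-secret-keys --with-colons`)
# Succeeds only if a usable RSA secret key of >= 4096 bits has a UID for EMAIL.
check_key() {
  awk -F: -v email="$1" '
    # sec record: field 2 = validity, 3 = key length, 4 = algorithm (1 = RSA)
    $1 == "sec" { ok = ($2 !~ /^[ired]/ && $4 == 1 && $3 >= 4096) }
    # uid record: field 10 = user ID; revoked or expired UIDs are skipped
    $1 == "uid" && ok && $2 !~ /^[re]/ && index(tolower($10), "<" tolower(email) ">") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# unsigned_commits  (stdin: output of `git log --format="%G? %h"`)
# Prints every commit whose status is not G (good signature, valid key).
unsigned_commits() {
  awk 'BEGIN {
      why["N"] = "no signature"; why["B"] = "bad signature"
      why["E"] = "signing key not in keyring"
      why["U"] = "good signature, untrusted key"
    }
    $1 != "G" { print $2 ": " (($1 in why) ? why[$1] : "expired signature or expired/revoked key") }'
}

# Constructed key listing: one RSA-4096 key and one older RSA-2048 key.
SAMPLE_KEYS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1706266365:::u:::scESC:::+:::23::0:
uid:u::::1706266365::0000::Example Dev <dev@example.org>::::::::::0:
sec:u:2048:1:BBBBBBBBBBBBBBBB:1500000000:::u:::scESC:::+:::23::0:
uid:u::::1500000000::0000::Example Dev <old@example.org>::::::::::0:'
# Constructed `git log --format="%G? %h"` output.
SAMPLE_LOG='G aaaa111
N bbbb222
E cccc333'

printf '%s\n' "$SAMPLE_KEYS" | check_key dev@example.org && echo "dev@example.org: key ok"
printf '%s\n' "$SAMPLE_KEYS" | check_key old@example.org || echo "old@example.org: no RSA-4096 key"
printf '%s\n' "$SAMPLE_LOG" | unsigned_commits

# Real use (run inside a repository):
#   gpg --list-secret-keys --with-colons | check_key "$(git config user.email)"
#   git log --format='%G? %h' | unsigned_commits
```

A failing check_key for your git email usually means the key was generated with a different address, which is the case step 3 covers.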